Federal Times Blogs
You may want to think twice before opening that social media account for your agency.
In an April 4 memo, the Office of Management and Budget put agencies on notice that employees may be in violation of the Antideficiency Act by agreeing to open-ended terms of agreement for certain websites. You’ve seen them, the lists of terms and conditions that most of us bother not to read.
The good news: If you don’t have contracting authority, then your consent on the government’s behalf isn’t binding. For contracting officials, however, that’s a different story.
The Antideficiency Act prohibits agencies from spending funds that have not been appropriated or from accepting voluntary services. Here’s what the Justice Department’s Office of Legal Counsel has to say on the social media/Antideficiency Act issue:
…in certain circumstances, a Federal employee with contracting authority violates the Antideficiency Act when he or she opens an agency account for a social media application that is governed by Terms of Service (TOS) that include an open-ended indemnification clause. An Antideficiency Act violation may occur in such a situation because an agency’s agreement to an open-ended indemnification clause could result in the agency’s legal liability for an amount in excess of the agency’s appropriation.
Apparently the issue is serious enough for OMB to call on the Federal Acquisition Regulatory Council to get involved:
OMB has requested that the Federal Acquisition Regulatory Council (FAR Council) undertake a rulemaking-through the issuance ofan interim rule-to amend the Federal Acquisition Regulation (FAR) to require contracting officers to put contractors on notice that any [terms of service], [end user license agreements] or other agreement requiring the government or government-authorized end user to indemnify the contractor for damages, costs, or fees incurred is unenforceable against the government or end-user and will be read out ofthe agreement to prevent violations of the Antideficiency Act.
To be on the safe side, here’s a list of amended terms of service agreements from the General Services Administration.
After transforming information technology operations at the Veterans Affairs Department, Roger Baker has moved back to the private sector to continue serving federal customers from the outside.
Baker has been named chief strategy officer for Virginia-based Agilex Technologies, a professional IT services firm known for its work in developing IT projects in smaller, faster increments, or agile development. In this newly created position, Baker will assist federal customers with IT modernization efforts and lowering IT operations and will also play a key role in expanding the company’s federal reach. At VA, Agilex has been a major player in advancing the department’s mobile initiatives through several contract awards, including one to develop mobile applications for VA clinicians.
After a four-year tenure, Baker stepped down last month as VA’s CIO and assistant secretary for information and technology. Prior to that, Baker held executive roles at several companies, including General Dynamics Information Technology and CACI International.
Thousands of rogue Apple, Android and Windows devices found operating on the Army’s network could pose major security risks to sensitive data and Army network operations, according to a recent report.
Army commands failed to report more than 14,000 commercial smartphones and tablet computers being used across the service for research activities, data collection, mobile device pilot programs and other tasks, according to the March 26 inspector general report. Army Corps of Engineers, Engineer Research and Development Center in Vicksburg, Miss., and the U.S. Military Academy at West Point, N.Y., were among the locations using unapproved devices.
Army officials at those sites did not ensure devices met security standards to protect data, and they failed to require all smartphones and tablets be wiped clean of data if reported lost or given to a new user. A lack of clear guidance from the Army chief information officer resulted in officials forgoing training and user agreements before handing out mobile devices.
“The Army did not implement an effective cybersecurity program for commercial mobiles devices,” the report said. “If devices remain unsecure, malicious activities could disrupt Army networks and compromise sensitive DoD information.”
“The Army CIO inappropriately concluded that [commercial mobile devices] were not connecting to Army networks and storing sensitive information; and, therefore, did not” require the same security standards used for other information systems, according to the report.
The IG review was conducted between April 2012 and February 2013 and did not include Blackberry devices.
The IG office set an April 25 deadline for the Army to comment on its recommendations, which include creating clear policy for tracking and reporting mobile device purchases and ensuring mobile devices follow the same security standards as other information systems. Earlier comments provided by the director for the Army CIO Cybersecurity Directorate were deemed nonresponsive.
As of February, DoD reported more than 600,000 commercial mobile devices in use and in a pilot test phase, including 470,000 Blackberrys, 41,000 Apple devices and 8,700 Android devices. The challenge, however, is managing those devices.
Army officials are eager for DoD’s mobile device contract to be awarded this month. The management software will eventually manage, monitor and enforce security for 8 million devices. The software will allow the Army to remotely wipe data from devices and monitor what applications users download, websites they visit and data viewed or modified on their devices.
The General Services Administration has launched a full review of its key online procurement system, after discovering a security vulnerability that may have exposed users’ sensitive data.
The security flaw was reported to GSA on March 8, and the agency has since issued a software patch on the system and is investigating potential impacts to vendors registered in GSA’s System for Award Management (SAM).
“When we got the word that this might be the case, we got right on it,” GSA Acting Administrator Dan Tangherlini told reporters Tuesday following a congressional hearing. “And there is nothing that we won’t do, there’s no step we’re not going to take to ensure the safety and the security of people’s data within that system.”
Tangherlini said GSA is testing changes to the system and will continue to keep users informed. “I am incredibly concerned about it, and the good news is that everyone in the organization is incredibly concerned,” he said of the system’s known security flaw.
The vulnerability could have compromised sensitive information, including Social Security numbers, of individuals registered in the system, according to GSA.gov. Contractors that use Social Security numbers instead of taxpayer identification numbers could be at greater risk, and those individuals will receive credit monitoring.
The vision for the SAM system is to serve as a single access point for nine procurement systems, but GSA has yet to accomplish that goal. To date, the SAM system includes four of the nine systems and provides access to contractors’ business information, their certifications required to receive federal contractors and grants and which contractors have been suspended and debarred.
In 2008, GSA began consolidating its systems in a effort to reduce costs, eliminate redundancies and improve efficiency.
A March 2012 Government Accountability Office report found that “while GSA has taken some steps to reduce costs, it has not reevaluated the business case for SAM or determined whether it is the most cost-effective alternative.”
The Federal Acquisition Service and Office of the Chief Information Officer are now providing program oversight, following an internal review of all GSA operations last year. Tangherlini has also called for the development, reporting and monitoring of key metrics for the SAM project.
The House Oversight and Government Reform Committee will vote on legislation Wednesday to overhaul how agencies buy and manage information technology.
Rep. Darrell Issa, R-Calif., introduced the Federal Information Technology Acquisition Act on Monday after months of circulating the draft bill to industry groups for feedback.
Rep. Gerry Connolly, D-Va., has expressed general support for the bill, which has since undergone revisions to address concerns voiced by industry and others. (Click here to view the revisions)
Under Issa’s new plan:
- CIOs at 16 major civilian agencies, including Veterans Affairs and Agriculture department, must be presidential appointees or designees and report directly to the head of their agency. Today, most CIOs at large agencies are political appointees but not all of them report to the head of their agencies.
- The Government Accountability Office would review the effectiveness of the CIO Council, an interagency forum charged with improving federal IT practices. The council must also submit annual reports to Congress on its progress.
- CIOs would track and report the costs and savings under the administration’s data center consolidation initiative.
- The Office of Management and Budget would house a CollaborationCenter, aimed at assisting agencies with challenging IT projects. In the previous draft, agencies would have been required to consult with experts at a so-called commodity IT center for contracts exceeding $50 million. Use of newly created acquisition centers of excellence would be optional.
- OMB must publish the status of 80 percent of the government’s $80 billion IT portfolio on the Dashboard, and OMB must ensure data is current and accurate. Today, only 50 percent of the IT budget is publicly available on the Dashboard.
- CIOs would have greater flexibility to fund cloud projects through cloud service working capital funds at their agencies.
Federal officials are working to streamline the government’s security program for cloud products and services.
A critical part of the Federal Risk and Authorization Management Program (FedRAMP)mandates that cloud vendors hire a third-party organization to verify they meet federal security requirements. Today, the General Services Administration and the National Institute of Standards and Technology must first approve those third party-organizations, or 3PAOs. Then there’s the task of monitoring the performance of the 3PAOs and recommending whether to renew or revoke their status.
In a request for information to industry, GSA asked for input on how to privatize the accreditation process for 3PAOs. As FedRAMP evolves into a fully operational program within the next month or two, GSA is identifying ways to scale the program and get more cloud contractors through the FedRAMP process.
To date, there are 16 companies designated as approved 3PAOs, but that number is expected to increase. Only two vendors have completed the FedRAMP process.
GSA wants to contract with a privatized board to accredit 3PAOs, based on program standards. GSA wants industry to comment on the evaluation process for 3PAOs and how long those companies should have to comply with new accreditation standards. Those responses are due Feb. 26.
The Veterans Affairs Department’s chief information officer told employees Friday he will resign, the department confirmed.
In a message to IT staff, Baker did not say when his last day will be and offered no explanation about his resignation. The DorobekINSIDER hinted that Baker may leave as soon as March 1.
Here’s some of what Baker told employees:
I would like to thank each of you for your hard work and dedication in serving our VA customers and our Nation’s Veterans. Over the last four years, VA IT has come to be recognized as a leader in federal IT. We have improved our relationships with our IT customers; established one of the highest performing product delivery organizations in the world; achieved visibility to our networks and medical devices; focused our decision-making based on metrics and not by anecdotes; and become an IT organization that is seen as an investment for the VA rather than an expense.
Most critically, VA IT has become the backbone for the transformation of the VA into a 21stCentury organization that the Secretary has envisioned. Your ability to deliver the technology necessary to support that transformation and to reliably meet our commitments to our customers is fundamental to that transformation.
Under Baker’s watch, VA instituted a program that drastically improved the number of IT projects delivered on schedule.
Baker also has a senior role in VA’s partnership with the Defense Department to integrate their electronic health record systems. That project recently came under fire from lawmakers, who criticized the departments’ decision to revise plans to create a single electronic health record system.
Tags: Roger Baker
President Barack Obama will issue an executive order Wednesday aimed at tightening the nation’s cybersecurity.
Senior administration officials, including White House Cybersecurity Coordinator Michael Daniel and Army Gen. Keith Alexander, head of U.S. Cyber Command, will provide details on cyber policy Wednesday morning at the Commerce Department. Officials will provide an update on cybersecurity priorities for 2013, including information sharing and reducing cyber risks, Commerce announced Tuesday.
The executive order is said to include provisions that will establish voluntary cybersecurity standards for critical infrastructure sectors, such as transportation and energy, where federal regulators have authority to enforce those standards. However, the order could not provide liability protections for companies that follow those standards but are attacked.
The order is also expected to direct agencies to share cyber threat information with companies operating critical infrastructure.
Lawmakers failed last year to pass comprehensive cybersecurity legislation, but Rep. Mike Rogers, R-Mich., chairman of the House Permanent Select Committee on Intelligence, and Rep. Dutch Ruppersberger, D-Md., plan to reintroduce cyber legislation Wednesday.
The Cyber Intelligence Sharing and Protection Act (CISPA), HR 624, would allow the government and industry to voluntarily share information about malicious attacks and viruses. Companies that share information under the bill’s provisions or protect their networks would be granted legal protections if they’re subject to a cyber attack. The bill passed the House in April.
Tags: executive order
Agencies are anxiously awaiting governmentwide standards for securing smartphones and tablet computers.
Come May, they will have a checklist of security standards to use, organized by the sensitivity of data employees share or access on mobile devices and who data is shared with, whether another federal agency or citizens.
Federal officials working on the project refer to the guidelines as a playbook or list of security standards that agencies should consider when using mobile devices. The playbook will include five common ways that most agencies use mobile devices and provide recommendations for securing devices in those environments, said Margie Graves, deputy chief information officer at the Department of Homeland Security.
Graves, who spoke at mobile security event Thursday, is working with the National Institute of Standards and Technology, the Defense Department and the Justice Department to develop the playbook.
The security standards are based on revised NIST standards released Tuesday for final comment. Ron Ross, a senior computer scientist and information security researcher at NIST, said the final document is expected in April.
While many of the existing NIST standards can be applied to mobile devices, some may not be applicable, Ross said. For example, one NIST security standard recommends agencies disable or restrict unnecessary functions or services that their information systems may provide. For mobile devices, that may mean restricting what applications employees can download or disabling mobile capabilities that aren’t needed for work and could be a security risk.
DHS’ Graves described the playbook as an itemized checklist of security standards categorized by use case. However, she wouldn’t provide details on the use cases. DHS CIO Richard Spires has said these standards will help agencies in developing bring-you-own-device programs, where employees are able to use their personal devices for work.
How agencies implement or tailor security standards to meet their needs will vary, Graves said. For instance, the intelligence community, law enforcement agencies and DoD may use similar use cases for mobile, while DHS’ Federal Emergency Management Agency would need to use mobile devices to communicate with the public during a natural disaster.
Some guidance will be released in March on how agencies can best secure mobile devices used for communicating with other agencies. The entire playbook, however, will not be released until May.
CGI Federal this month became the second vendor to complete a new security review process for all federal cloud products and services.
The Virginia-based company already provides cloud computing services for several agencies, including the Department of Homeland Security, the General Services Administration and the Environmental Protection Agency.
The Federal Risk and Authorization Management Program (FedRAMP) was launched in June to standardize security reviews of commercial cloud products and is housed within GSA.
North Carolina-based Autonomic Resources was the first company to receive what’s called a provisional authority to operate from FedRAMP’s joint board of CIOs. The provisional ATO proves a vendor’s cloud services not only meet federal baseline standards, but also are secure enough for use by DHS, DOD and GSA.
GSA has not said how many cloud vendors will be certified through FedRAMP this year, but as of last month more than 80 companies were awaiting security reviews.